Annex A

TERMS OF REFERENCE

Virtual Private Network (VPN) tunnel installation and Very Small Aperture Terminal (VSAT) internet connectivity for Migration Information and Data Analysis Systems (MIDAS) at ports of entry in Somalia

Introduction

Since 2007, the International Organization for Migration (IOM) has been assisting Somalia in strengthening its immigration and border management in order to promote safe migration and mitigate security threats. In partnership with Departments of Immigration in Somalia, IOM has been supporting the upgrade of infrastructure and equipment at the various ports of entry, the review of immigration legislation and policy, organizational capacity development, inter-agency/regional cooperation, and Border Information Management (BIM) through installation of Migration Information and Data Analysis Systems (MIDAS).

The MIDAS software has been designed by IOM to enable States with no or inadequate data capture system to equip themselves and have the operational means to take up the challenge of enhanced migration management. The system collects, processes and stores travellers' information, including bio-data, at entry and exit border points, for the purpose of identification, authentication, data collection and analysis. It helps to monitor border movements better and also to shape reactive migration and border management policies.

To date, thirteen ports of entry in Somalia have the system installed, and there is an increased need to reach more ports of entry. This creates the need for enhanced connectivity at all the ports of entry to ensure timely and safe data exchange and back-up on central servers for maximum security at the ports of entry in Somalia, thereby mitigating any security threats.
To achieve this, IOM wishes to engage the services of a competent internet service provider/solutions company in Somalia with the right capacity to install a VPN tunnel and provide VSAT internet for connectivity of the MIDAS at the various ports of entry, with readily available 24/7 technical client support services.

Headquarters: 17 route des Morillons C.P. 71 CH-1211 Geneva 19 Switzerland Tel: +41.22.717 91 11 Fax: +41.22.798 61 50 E-mail: hq@iom.int Internet: http://www.iom.int
Objective:

To provide VPN connectivity and VSAT Internet service to ports of entry with MIDAS in the FGoS (Federal Government of Somalia) and Puntland state Departments of Immigration.

Target:

The project targets connectivity of 8 ports of entry in the FGoS and Puntland state Immigration Departments already using MIDAS.

The Proposed Technical Connectivity Solution

The proposed solution should enhance reliable communications between Immigration headquarters and remote sites with maximum availability throughout, using the internet cloud with a remote VPN connection that provides remote access to the end users. Through a private network, each remote user or station can directly access the headquarters network without any congestion or restriction using the internet cloud. Secure VPN tunnelling will encrypt all requests from the remote access point, providing encryption between the remote stations and the headquarters. The approaches below are vital:

a) Either using a satellite VSAT connection for each remote site/port of entry
b) Or an existing Internet infrastructure, depending on the bandwidth requirement for each station. Many employees can access the VPN simultaneously.

The Solution Requirements and Considerations

a) Firewall: Cisco IOS Firewall helps ensure the network's availability and the security of the department's resources by protecting against network threats and application-layer attacks. The VPN configuration and policies should be configured in the firewall to filter packets both outside and inside the network. Less equipment will be needed because the network is small in scale; in the near future it will be upgraded into medium- and large-scale infrastructure.
b) Router: A Cisco IOS router will be used at the HQ to provide any routing requirements inside the headquarters and to enhance packet forwarding between stations. This router can be eliminated by using a layer 3 switch, depending on the number of employees inside the headquarters. The router provides full control of packet filtering and path selection to minimize TCP/IP overhead.
c) Switches: Layer 3 Cisco switches will be used in each remote station for the local network to help increase the performance of packet forwarding and the reliability of connections to the VPN. All the workstations will be connected to this switch and can access the network simultaneously without any delay.
Figure 1. On VPN Design topology using local ISP Connections

In addition to basic WAN connectivity and the ability to access the headquarters, the solution should also be capable of the following:

a) Extend geographical connectivity
b) Reduce operational costs versus traditional WANs
c) Reduce transit times and travelling costs for remote users
d) Improve productivity
e) Simplify network topology

The features needed in a well-designed VPN should incorporate these items:

a) Security
b) Reliability
c) Scalability
d) Network Management
e) Policy Management

Based on the type of VPN (remote-access), certain components need to be put in place to build the VPN. These might include:

a) Desktop software client for each remote user
b) Dedicated hardware such as a Cisco VPN Concentrator or a Cisco Secure Firewall
c) Dedicated VPN server for dial-up services / Firewall or router
Duties and Responsibilities:

Under the overall supervision of the IOM Somalia Chief of Mission (COM) and the direct supervision of the IBM (Immigration and Border Management) Project Manager (PM), the contracted firm will be responsible for the following duties and tasks.

1) Develop and create a VPN tunnel between the ports of entry locations and also provide support management of VPN services.
2) The VPN must use Layer Two Tunnelling Protocol/Internet Protocol security (L2TP/IPSec) over an intermediate network.
3) All necessary hardware, cabling and software (if required for Internet service) should be provided and set up by the contractor.
4) Free and unlimited technical support to the VPN system installed.
5) Free and unlimited technical support to the VPN system installed.
6) The selected contractor must provide weekly reports on network performance, utilization and usage analysis.
7) The contractor must undertake the responsibility of the Internet connection and also have a special internet backup for the VPN connection, which will be used when there is no Internet connection at all.
8) Install site-to-site VPN connections to enable immigration departments to have routed connections between separate offices, or from one point of entry to another, over a public network while helping to maintain secure communications.
9) Installation of VSAT connection for supporting the broadband internet connection between the points of entry for the immigration Departments in FGoS and Puntland.
10) Establish a permanent monitoring system in conjunction with the technical supervisor on each site in order to ensure provision of the dedicated bandwidth required and a stable Internet connection; such system should be accessible.
11) Establish 2 or 3 technical repair teams, capable of a rapid intervention on any site at the ports of entry.
12) Set up a help desk service available to the client 24/7 and provide all necessary information on such service.
13) Training of immigration IT officers and IOM-IT staff in each site with regard to the operation of the system and operational support arrangements. This training should take place as part of the installation of the maintenance system. As an additional option, the contractor should also offer a more specialized training on the connectivity and VSAT solution, with a possibility of certifying IOM technical personnel in the VSAT and the connectivity system.
14) All administrative and logistics support involved with the maintenance of this network and connectivity will be the responsibility of the service provider for the next six months after installation.
15) The Contractor is responsible for ensuring that all necessary items are appropriately insured against all risks, including damage caused by fire, flood and lightning strikes, in respect of its property and any equipment used in the execution of the service.
16) The Contractor must be a telecommunication company or Internet Service Provider who owns and operates the internet facilities starting from the local loop up to the internet gateway, and who can also cover all areas in Somalia in FGoS and Puntland state.
17) The Connection should have 24-hours-per-day, 7-days-per-week access.

Deliverables:

1) An accurate assessment of the current capacity and structure and concrete recommendations to improve the connectivity system at all the ports of entry.
2) Install internet connectivity with VPN tunnels at the ports of entry in Puntland and FGoS.
3) Install VSAT connection for supporting the broadband internet connection between the ports of entry.
4) Set up a help desk service available to the client 24/7 and provide all necessary information on such service.
5) A perfect development of the current capacity and structure and concrete recommendations to improve the connectivity issues between the points of entry at FGoS and Puntland.
6) Training of immigration IT officers and IOM-IT staff in each site with regard to the operation of the system and operational support arrangements.
7) Provide technical support for regional networks and regional events.

Time schedules of Deliverables

The company will be responsible for coordinating work with the appointed technical team in order to achieve greater efficiency in the enhancement of the ports of entry connectivity system.

1) The installation of the VPN connectivity system at all ports of entry will be done within 30 days of signature of the contract.
2) Installation of the VSAT internet services will be done at all the ports of entry within 45 days.
3) All installation works should be accomplished and the connection launched within 90 days after the signing of the Contract.
4) The Connection should have redundant connectivity which ensures 100% network availability.
5) Effective and efficient communication and connectivity/network design between 8 ports of entry completed within 90 days.
Hardware and Software Requirements for VPN Installation/Configuration

| No. | Device Name | Description | Qty |
|-----|-------------|-------------|-----|
| 1. | Cisco Router | CISCO2951-SEC/K9, Security Bundle w/sec license PAK | 2 |
| 2. | Cisco Switch (WS-C3560CG-8TC-S) | Cisco Catalyst 3560-C Switch 8 GE, 2 x Dual Purpose Uplink, IP Base | 7 |
| 3. | Cisco Firewall | Cisco ASA 5505; with Security bundle | 2 |
| 4. | VSAT | 1.8M, Azimuth 0°-360°, elevation 1°~80°, Relative Humidity 100% | 7 |

| No. | Tasks on Installation and Configurations | Quantity |
|-----|------------------------------------------|----------|
| 1. | Installing Power Backups, inverters | All Ports of Entry |
| 2. | Installing Cisco Router, Switch and Firewall. | All Ports of Entry |
| 3. | Basic Configuration of Router, Switch and Firewall. | All Ports of Entry |
| 4. | Installing and enabling security bundles in firewall and Cisco router. | All Ports of Entry |
| 5. | Configuring VPN Tunnels for the remote users. | All Ports of Entry |
| 6. | Configuring IP security to provide 3des 256 encryption key. | All Ports of Entry |
| 7. | Configuring Remote VPN with Public IP Address. | All Ports of Entry |
| 8. | Testing and verifying configurations | All Ports of Entry |
| 9. | Installing VSAT | All Ports of Entry |
| 10. | Training of IT technical staff | All Ports of Entry |

For consulting firms/companies participating in the call for proposals, provide the following:

- Provide an outline of technical and financial proposal including proposed methodology, time schedule and work plan for the consultancy;
- Company Profile (including the names of owners, key officers, technical personnel attached to this project with their relevant CVs)
- Company's Articles of Incorporation, Partnership or Corporation, whichever is applicable, including amendments thereto, if any.
- Certificate of Registration from host country's Security & Exchange Commission or similar government agency/department/ministry
- Valid Government Permits/Licenses in Somalia
- Audited Financial/Bank Statements for the last 3 years
- Certificates from the Principals (e.g. Manufacturer's Authorization, Certificate of Exclusive Distributorship, any certificate for the purpose, indicating name, complete address and contact details)
- List of contracts entered into for the last 3 years (indicate whether completed or ongoing) in related works
- Organizational Structure / Organogram
- CVs of Key technical Staff
- Detailed proposal for the work with clear implementation framework
A. Data, Local Services, Personnel and Facilities to be provided by IOM

a) IOM Somalia Nairobi coordination offices will conduct a briefing for the service provider/consulting firm at the beginning of the contract.
b) The payment to the service providers/consulting firms is all inclusive. Any expenses shouldered by IOM through its facilitation of air travel to, and local transport and accommodation in, Somalia will be deducted from the final payment to the contracted firm.